UPDATE: Cyberwarfare and Collateral Damages

By Edoardo E. Artese and Valentin Vitkov

Edoardo E. Artese is a lawyer in Milan (Italy), working between Milan (Italy) and Bangkok (Thailand). He is the managing partner of AC Legal[1], a law firm based in Milan, and founding member of DirICTo[2], an Italian association of IT experts. He collaborates with the University of Cagliari, Italy, Chair of Computer and New Technologies Law and ICT for Law & Forensics. His areas of interest are business law, intellectual property law and information and telecommunications technologies. He graduated in law with a copyright law thesis on Databases. He speaks Italian, English and a little bit of Thai.

Valentin Vitkov is a lawyer in Milan, Italy. He collaborates with Milan State University, Faculty of Law, Chair of Legal Informatics. His areas of interest are the relationships between law and information and telecommunications technologies. He graduated in law at the Milan State University, with a copyright law thesis on the Creative Commons Licenses. He speaks Italian, Bulgarian, English and French.

NOTE: The views and opinions expressed in this article are the sole responsibility of the authors and reflect exclusively their personal views.

Published June 2019


1. Introduction

The purpose of this paper is to offer an introductory overview of the collateral damages and victims of cyberwarfare. Cyberwarfare is a new type of warfare that poses numerous challenges. The article illustrates some basic definitions of cyberwarfare and cyber weapons proposed so far, as well as the international legal framework. Furthermore, the article addresses collateral damages and the role of the victims, including illustrations of two paradigmatic cases of widely known cyberattacks.

2. What is Cyberwarfare?

Cyberwarfare is a complex phenomenon and raises many questions regarding definitions, differences from other types of warfare, and finally compatibility with jus ad bellum and jus in bello international law. Some questions may be solved by interpreting existing law; others remain open and without a clear solution.

Such complexity arises because attacks may differ significantly depending on the final target, the scope, and the hardware and software tools used. They all have in common the goal of exploiting computer systems and networks in order to achieve a military advantage. Considering the wide range of information technologies, scopes and targets, it is quite difficult to provide a comprehensive definition.

To date there are several attempts to define cyberwarfare:

As time goes on more details of the phenomenon are considered.[7] Some similarities may be noticed in such definitions or the definition of the much wider concept such as “information war,”[8] which might be found in the Annex I of the Agreement between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security: “confrontation between two or more states in the information space aimed at damaging information systems, processes and resources, critical and other structures, undermining political, economic and social systems, mass psychologic[al] brainwashing to destabilize society and state, as well as to force the state to taking decisions in the interest of the opposing party.”[9]

However, it is important to recognize that information war (information warfare) and cyberwarfare are two different concepts.

It is even more important to keep in mind that cyberwarfare, hacking, cracking and cyber incidents may be different concepts in a given situation and context.[10]

3. Difference Between Cyberwarfare and Other Types of Warfare.

Cyberwarfare differs from other types of warfare, as well as from other types of cyber related activities, in many aspects. We will highlight some of them.

First, the immediate targets of cyberwarfare are computer systems and networks, and most cyberattacks are conducted through computers and computer networks. Nonetheless, computer systems and networks may be used to target physical systems and produce physical damage, death and injury. Second, cyberwarfare attacks may be planned to be executed in a very short span of time. Third, cyberwarfare activities, given how computer networks and particularly the Internet are designed, may be routed through many territories; hence, complex problems regarding laws of neutrality arise. Fourth, some cyberwarfare activities, aimed at creating kinetic attacks, may use the hardware and weapons of the enemy in order to execute the attack by remotely controlling them. Fifth, most cyberwarfare attacks may be launched in stealth mode, i.e. without identification of the attackers. And finally, many cyberwarfare activities may require the use of many computer techniques, technologies and malware or the exploitation of vulnerabilities in the targeted computer systems, as well as social engineering techniques in order to gain access to computer systems and networks.

Sometimes such activities require extensive study and design, a lot of programming and a multidisciplinary approach. Considerable investment and preparation may be needed for attacks that can rarely be launched more than once or replicated.

4. Cyberweapon: Definitions and an Example of Software Used.

One important question is whether the tools used for most cyberwarfare activities and attacks are to be considered weapons. This problem has implications for all international law dealing with armed attacks, the use of or threat to use force, and how to conduct hostilities. On this question, two different points of view should be noted. According to the first, a tool (hardware equipment or computer code) has to be considered a weapon on the basis of its objective possibility to cause harm or to allow the execution of an attack. An example of this type of definition is: “a cyber weapon is the combination of a propagation method, exploits, and a payload designed to create destructive physical or digital effects.”[11]

The second approach requires evaluating the user’s or developer’s purpose in order to decide whether the tool (or tools) used are to be considered a cyberweapon: “a part of equipment, a device, or any set of computer instructions, used in a conflict among actors both National and non-National, with the purpose of causing (directly or otherwise) physical damage to objects or people, or of sabotaging and/or damaging in a direct way the information systems of a sensitive target of the attacked subject.”[12] Or, along the same lines, “cyber weapons are cyber means of warfare that are by design, use, or intended use capable of causing either (i) injury to, or death of, persons; or (ii) damage to, or destruction of objects, that is, causing the consequences required for qualification of a cyber operation as an attack.”[13]

Other authors define cyberweapons as a subset of weapons: “computer code that is used or designed to be used with the aim of threatening or causing physical, functional or mental harm to structures, systems or living beings.”[14] To date, there are numerous examples of cyberweapons. We will focus on what appears clearly to be an example of a cyberweapon, regardless of the approach and point of view: Stuxnet.[15]

Stuxnet is a complex malware designed to search for a particular controlling system of specific industrial processes located in a closed network. Upon identification and penetration of such a system, the malware was designed to damage a specific type of turbine and to create physical damage, bypassing the human and automated controls of the target industrial plant. The effect is similar to the one obtainable by destroying such turbines with conventional weapons (a so-called kinetic attack) during traditional warfare activity.

The features of the complex malware and the deep knowledge of the target systems indicate that it was specifically designed software, created by a multidisciplinary team relying on a particular knowledge of the industrial processes that governed the target system.[16] As we shall see below, it seems the malware was developed to comply with most norms of international law.

5. Main International Law Issues Regarding Cyberwarfare

Analysis of the phenomenon and definitions of the concept are important in order to deal with the main international law issues, particularly with the jus ad bellum[17] and the jus in bello[18] norms. Where jus ad bellum is concerned, the primary problems are whether cyberwarfare is to be considered as (i) “use of the force” according to article 2(4) of the UN Charter, (ii) an “armed attack” under article 51 of the UN Charter and (iii) eventually whether it gives the “right to self-defense.”[19]

With regard to jus in bello, cyberwarfare raises interesting problems regarding the possibility to apply existing international humanitarian law (IHL) norms. As a matter of fact, at the time of UN Charter drafting, cyberwarfare and cyberspace did not exist and so the question whether current international norms apply or whether new international norms are needed assumes a great relevance.[20]

On a regional scale, another key question is whether article 5 of the NATO treaty is to be applied to cyberwarfare activities.[21]

Regarding international law, a group of experts invited by an international center, the NATO Cooperative Cyber Defense Centre of Excellence (NATO CCD COE),[22] undertook a valuable initiative in order to create a manual governing cyberwarfare. Even if the manual (so called “Tallinn Manual”)[23] is not considered an official NATO document, just expressing the view of the experts and not the views of NATO CCD COE, it signals an important attempt to study cyberwarfare based on customary and conventional international law and to propose some clear rules of conduct.

The first edition of the manual was published in 2013[24] and an extended second edition (so-called Tallinn 2.0) was published in 2017.[25] The Tallinn 2.0 Manual was intended to supersede the first edition. However, both editions are important, as the comparison between them offers insight into the evolution of the debates.[26] Both editions of the manual were written with the contributions of groups of experts coordinated by Michael N. Schmitt, a leading scholar in the field.[27] In particular, one group included experts of the Law of the Armed Conflict (LOAC) and a second group was composed of experts in human rights, space law and international telecommunications law.

Originally, the experts came from countries mainly from the Western Hemisphere. For the Second Edition, a number of experts from Thailand, Japan, China and Belarus were invited. In addition, the International Committee of the Red Cross and other states and organizations were invited to send observers to both groups. Finally, portions of the texts were peer-reviewed.

The norms formulated by the experts consist of numbered rules, and each rule is accompanied by a short commentary. Comments to each rule indicate the relevant existing international law norms and the interpretation process. The manual itself is written in a concise and clear manner and makes it possible to follow transparently the reasoning behind each interpretation and formulation of rules. Moreover, it distinguishes the cases in which the experts reach a consensus from the ones in which their opinions differ.

6. Collateral Damages and Victims

Collateral damages may be defined as incidental death or injury of civilians or damage or destruction of civilian objects.[28] Preliminarily, as a general norm, based on article 51(5)(b) and article 57(2)(a)(iii) of the Additional Protocol I (AP I), the Tallinn Group of Experts proposed Rule 51 (Rule 113 in the Second Edition), specifically regarding collateral damages: “a cyberattack … that may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated is prohibited.”

Such a norm requires an evaluation of the possible harms and then a comparison of them with the concrete and direct military advantage that may be obtained by the cyber operation. In particular, the assessment must take into consideration both the direct and the indirect consequences of the operation. Moreover, the evaluation must be made at the time of designing, ordering and executing the attack, and the military advantage should be considered as a whole and not with reference to a particular part of the attack. Additional rules are proposed that reinforce civilian protection and reduce collateral damages.

Under article 57(3) of AP I, only the target that will create less danger to civilian lives and objects should be chosen among equivalent targets (see Rule 56 of the Tallinn Manual and commentary, Rule 118 in the Second Edition). Article 57(2)(b) of AP I is the basis on which the attack must be suspended or cancelled if collateral damages would be excessive. It is interesting to notice that, in order to operate with respect to such rules, a continuous assessment and monitoring of the attack is necessary and that this activity can be carried on by technical and highly skilled personnel. Moreover, technical evaluations are to be coordinated with legal evaluation to ensure the operation complies with the law.

The provisions are to be appreciated in the context of other obligations. First, it is required to verify that the objectives are neither civilians nor civilian objects and are not subject to special protection, based on article 57(2)(a)(i) of AP I (see also Rules 53, 32, 33, 34, 35, 37 of the Tallinn Manual, respectively Rules 113, 94, 95, 96, 97, 99 of the Second Edition). Second, a general obligation to spare the civilian population is imposed, based on article 57(1) of AP I (see Rule 52 of the Tallinn Manual). Third, it is necessary to choose means or methods of an attack with a view to avoiding and minimizing incidental injury to civilians, loss of civilian lives and damage or destruction of civilian objects, based on art. 57(2)(ii) of AP II (see also Rules 55 and 56 of the Tallinn Manual, respectively Rules 117 and 118 of the Second Edition).

Moreover, an obligation to choose, among adequate targets, those that will create fewer dangers to civilian lives and objects is based on article 57(3) of AP I (see Rule 56 of the Tallinn Manual, Rule 118 of the Second Edition). There are general obligations to protect the civilian population and civilian objects during warfare. As a matter of fact, during warfare hitting civilian objects and property is prohibited, unless they are dual use, and in this case an assessment of necessity and excess in comparison to the military advantage to be gained must be made. In particular, some categories may not be considered civilian or may not be considered such for a given period of time. For example, mercenaries may be considered as belligerents without combatants’ privileges. Civilians participating in cyber operations may lose protection as long as they participate in such operations. A problematic group is that of civilians participating in a levée en masse.[29]

Finally, a special duty is to take particular care during cyberattacks against works and installations containing dangerous forces, namely dams, dykes, and nuclear electrical generating stations, as well as installations located in their vicinity (see Rule 80 of the Tallinn Manual, Rule 140 in the Second Edition, based on article 56 AP I and art. 15 AP II). There are also relevant prohibitions to be considered: the first is the prohibition on attacks aimed at creating terror amongst civilians; the second is the prohibition on attacking, destroying, removing or rendering useless objects necessary for the survival of civilians. Such norms must be read in connection with the norms regarding lawful targets, and they consider as unlawful targets civilians, medical personnel, medical infrastructures, medical computers and networks, personnel and objects of third parties to the conflict trying to provide humanitarian aid, and objects necessary for the survival of civilians.

A particularly interesting norm formulated in the Tallinn Manual is Rule 83 (Rule 143 in the Second Edition) based on the principle of distinction, articulating the prohibition to attack civilian objects, articles 35(3) and 55 of the Additional Protocol I:

The international group of experts who contributed to the Tallinn Manual was unanimous that the environment is a civilian object. According to them, whoever plans, approves or conducts a cyberattack must take precautions with respect to the expected collateral damage to the natural environment. In particular, the experts highlight that destruction of the natural environment which is not justified by military necessity is to be considered prohibited.

Cyberattacks may be divided into three groups:

Respect for the international law norms, as interpreted by the Tallinn group of experts, requires the designers, decision makers and executors of an attack to pay close attention, to choose precise targets, to minimize collateral damages and to suspend or cancel the attack in case collateral damages are excessive compared to the military advantages that may be obtained.

This raises difficulties, given that sometimes it is not possible to distinguish a civilian from a military target on computer networks and that for many cyberattacks it is necessary to use the internet, a complex grid of networks, some of which are military and others civilian. However, it is established that indiscriminate cyberattacks, aimed at both civilian and military targets, should be considered prohibited. Again, a key question is what an attack is, what an armed attack is and when an attack causes damage to civilians and objects.

In particular, the concept of damage is problematic when the attack causes temporary consequences for civilian property and activity,[30] as is the question of how to assess whether an act is to be considered damage.[31]

So, in conclusion, should we assume that the norms expressed in the Tallinn Manual are an expression of international customary and conventional law, or at least a good attempt to interpret such law, respect for such norms in any case minimizes collateral damages in cyberwarfare, given that the actors are obliged to respect such norms when they design, decide and execute an attack.

At this point, technical problems arise with respect to the definition of cyberspace. As a matter of fact, it is neither obvious nor easy to identify whether a given computer user is a civilian, a protected civilian, a mercenary, a member of the military or a civilian hired as an auxiliary in a military structure. The same holds for protected objects and infrastructures for survival and medical purposes. Moreover, as far as the Internet is concerned, it should be noted that on the one hand it is a structure used by both civilian and military subjects;[32] on the other hand it is so pervasive in everyday life that it may even be considered the entirely electronic man-made environment around us.

7. Practical Cases

Many cyberattacks have occurred in recent years. Some of them have been disclosed; many of them likely remain unknown to the public and undocumented. Two paradigmatic cases are reported below:

7.1. The Stuxnet Case

The most famous is probably the Stuxnet case, which took its name from the software used.[33] The worm was developed with a great investment in human resources and technology, with the aim of sabotaging Iran’s nuclear program through what would seem like a long series of unfortunate accidents. However, authorship and attribution to a given state are not certain.[34] This virus infected a large number of computers around the world, but researchers discovered that the software had a specific target. Stuxnet “is not going after computers or even Windows software in general, but a specific type of program used in Siemens’s WinCC/PCS 7 SCADA control software; ... Stuxnet only broke nuclear centrifuges, which Iran had illegally obtained to conduct illicit research. Moreover, it neither hurt nor killed anyone.”[35]

Although this worm worked only with this specific software, it infected thousands of computers. Many lawyers and researchers wondered about the ethics of this kind of attack: “at face value, Stuxnet seems incredibly indiscriminate. While limited in the scope of its attacks compared to prior malware, this was a worm that still got around. It infected not just targets in Iran but thousands of computers across the world that had nothing to do with Iran or nuclear research. Many lawyers see this facet of cyber weapons as proof of their inherent violation of “prevailing codes of international laws of conflict, as they go beyond just the original target and deliberately target civilian personnel and infrastructure.”[36]

7.2. The Estonian DDoS-Attacks

In 2007 many websites of banks, governments, universities and newspapers experienced “Distributed Denial of Service.”[37] For several hours the financial institutions found their servers overwhelmed by requests generated by the botnets behind the attacks, and commerce slowed down worryingly. There is more than a hypothesis about this attack, and the confirmed evidence indicated that the attack started from Russia, but there is no certainty about the motivation. Again, there are problems with authorship and attribution of the attacks.

This case is emblematic with regard to the effects on the population: people had no information, could not take money from the banks and could not perform other daily activities.[38] So with a simple DDoS attack, the life and the economy of Estonia were stopped. Compared to the Stuxnet attack, which resulted in damage to physical objects, the effects of the DDoS were temporary.

8. Conclusion

This short survey of some of the key questions regarding cyberwarfare and collateral damages shows the attempts of scholars to propose interpretations of existing customary and conventional law, with reference to a conventional framework drafted before an unpredictable evolution of information and telecommunications technology took place. Some questions can be solved by interpreting existing international norms, while others still remain open. Complexity derives from the numerous techniques that may be used in cyber operations, from the difficulty of classifying targets and from some structural differences between some types of cyber operations and operations using kinetic weaponry.

The diffusion of new technologies such as artificial intelligence, robotics and unmanned weapons and vehicles, as well as weapons with artificial intelligence and machine learning targeting systems, will generate even more complex legal problems to solve.

The international community has to find an agreed way to approach cyberwarfare along with the evolution of technology, in order not to unbalance or change the application of the fundamental principles regarding use of force, self-defense and the role of the United Nations in solving international conflicts. As a matter of fact, as time passes more aspects of cyberwarfare will be identified, and it may be necessary to update international law with the aim of maintaining peace and peaceful relations between states.

There are many open questions about the applicable law and a general awareness that some cyberattacks could create even more damage than traditional attacks, especially if they are not carefully designed to minimize collateral damages. When considering collateral damage in light of the existing legal framework and in the absence of new norms, maximum care should be given to minimize the amount of collateral damages while upholding the tradition of International Humanitarian Law.



[1] See AC Legal.

[2] See DirICTo.

[3] Richard A. Clarke, Robert K. Knake, Cyberwar, Harper Collins, 2010.

[4] Nils Melzer, Cyberwarfare and the International Law, 2011.

[5] Samuel Liles, J. Eric Dietz, Marcus Rogers, Dean Larson, Applying Traditional Principles To Cyber Warfare, in 2012 - 4th International Conference on Cyber Conflict, edited by C. Czosseck, R. Ottis, K. Ziolkowski, page 177.

[6] Stefano Mele, Legal Considerations on Cyber-Weapons and Their Definition, 3 Journal of Law and Cyber Warfare 52 (Spring 2014). See also, Stefano Mele, Cyber-Weapons: Legal and Strategic Aspects, version 2.0 (2013), (Italian Institute of Strategic Studies “Niccolò Machiavelli”).

[7] Such evolutions are clearly visible when comparing the actual efforts to define Cyberwarfare with earlier attempts to do so, see for example the definition of Libicki in Martin C. Libicki, What is Information Warfare?, 1995. For a comparison between cybercrime, cyberattack and cyber warfare, see Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue & Julia Spiegel, The Law of Cyber-Attack, California Law Review 100 (2012) 817.

[8] Martin C. Libicki, What Is Information Warfare? (1995).

[9] Annex I to the Agreement between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security of 16th June 2009.

[10] In order to get an idea about the significant differences between cyberwarfare, information warfare, cyber-attacks, and other cyber related activities, see the List of Significant Cyber Incidents Since 2006, compiled by the CSIS Center for Strategic & International Studies.

[11] Trey Herr, PrEP: A Framework for Malware & Cyber Weapons, Journal of Information Warfare, 2013, Vol. 13, No. 1, February 2014.

[12] Stefano Mele, Legal Considerations on Cyber-Weapons and Their Definition, Journal of Law and Cyber Warfare, Vol. 3, Spring 2014, Issue 1, page 58.

[13] See Michael N. Schmitt (Ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare, 2013, Cambridge University Press.

[14] Thomas Rid, Peter McBurney (2012), Cyber-Weapons, The RUSI Journal, 157:1, 6-13, DOI: 10.1080/03071847.2012.664354. The authors discuss broadly the dual use of most weapons and therefore the importance of the psychological dimension of weapons, i.e. the offender’s intention to threaten harm or cause harm to a target. A similar approach is to define a weapon as “an object designed for, and developed or obtained for, the primary purpose of killing, maiming, injuring, damaging or destroying” and to assume that the same definition may be extended to cyber weapons. See Gary D. Brown, Andrew O. Metcalf, Easier Said Than Done: Legal Reviews of Cyber Weapons, Journal of National Security Law & Policy, 2014, Vol. 7:115.

[15] See also section 7.

[16] See Trey Herr, PrEP: A Framework for Malware & Cyber Weapons, Journal of Information Warfare, 2013, Vol. 13, No. 1, February 2014.

[17] The term is used to indicate international norms regulating the use of force of a state against another state. Its primary sources are customary law and articles 2(4), 41, 42 and 51 of the UN Charter (see UN Charter). Jus ad bellum norms changed significantly after World War II, as a reaction to the terrible danger the whole of mankind faced and the terrible consequences for the civilian population, properties and military personnel in a conflict that involved an unprecedented quantity of new and advanced weapons for mass destruction based on intensive scientific and industrial research and development.

[18] Jus in bello is also referred to as International Humanitarian Law, and consists of international norms regulating the obligations and conduct of belligerent states during hostilities, the way to conduct warfare. Its main sources are four Conventions signed in Geneva and three additional protocols, as well as numerous other international treaties (See (1) Convention for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field, signed in Geneva on 12th August 1949 (GC I), (2) Convention for the Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea, signed in Geneva on 12 August 1949 (GC II), (3) Convention relative to the Treatment of Prisoners of War, signed in Geneva on 12th August 1949 (GC III), (4) Convention relative to the Protection of Civilian Persons in Time of War, signed in Geneva on 12th August 1949 (GC IV), (5) Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts, 8th June 1977 (AP I), (6) Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of Non-International Armed Conflicts, 8th June 1977 (AP II), (7) Protocol additional to the Geneva Conventions of 12 August 1949, and relating to the Adoption of an Additional Distinctive Emblem, 8th December 2005 (AP III).)

[19] In fact, post-World War II jus ad bellum norms have the aim to relegate armed response, use or menace of the force and armed attacks as an extrema ratio, promoting instead peace and the pacific solutions of international disputes or internationally agreed measures, including use of force authorized by the UN Security Council and so collectively deliberated.

[20] For instance, art. 41 of UN Charter states that “the Security Council may decide what measures not involving the use of armed force are to be employed to give effect to its decisions, and it may call upon the Members of the United Nations to apply such measures. These may include complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio, and other means of communication, and the severance of diplomatic relations.” During the last twenty years, information and telecommunication technologies evolved in unpredictable ways. Today, such technologies are used not only for communicating but also for doing, i.e. for performing a lot of human activities and actions which once required physical goods to be transported from one place to another and people to move from one place to another and to perform a lot of physical actions not intermediated by computer systems and network platforms.

[21] See The New York Times.

[22] See CCDCOE About Us – History at https://ccdcoe.org/about-us/. See also CCDCOE Tallinn Manual 2.0 at https://ccdcoe.org/research/tallinn-manual/.

[23] See Michael N. Schmitt (Ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare, 2013, Cambridge University Press, hereafter referred to as the “Tallinn Manual”.

[24] See Michael N. Schmitt (Ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare, 2013, Cambridge University Press, hereafter referred to as the “Tallinn Manual”.

[25] See Michael N. Schmitt (Gen. Ed.), Liis Vihul (Man. Ed.), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, 2017, Cambridge University Press, hereafter referred to as the “Tallinn 2.0 Manual” or the “Second Edition”.

[26] For a longer review on the Second Edition, see Eric Talbot Jensen, The Tallinn Manual 2.0: Highlights and Insights, Georgetown Journal of International Law, Vol. 48, 2017, page 735 and Michael N. Schmitt, Peacetime Cyber Responses and Wartime Cyber Operations Under International Law: An Analytical Vade Mecum, Harvard National Security Journal, Vol. 8, 2017, page 239.

[27] See Wikipedia; also see Tallinn Manual 2.0 on The International Law Applicable to Cyber Operations

[28] See commentary of Rule 51 of the Tallinn Manual (Rule 113 of Tallinn 2.0 Manual).

[29] See Christopher Waters, New Hacktivists and the Old Concept of Levée en Masse, Dalhousie Law Journal, 2014, Vol. 2, N. 2; Nils Melzer, Cyberwarfare and the International Law, 2011, page 33.

[30] Examples of temporary consequences are DOS (Denial of Service) attacks and DDOS (Distributed Denial of Service) attacks.

[31] For example, two interesting questions are whether a temporary use of internet bandwidth for propagating a malware or whether a malware, like Stuxnet, which activates only at specific conditions and in specific computers and stays inoculated but inactive in other computers, are to be considered damage. Another question regards the theft of data without damaging any computer system or network and without damaging the data.

[32] Ten years ago, estimates were that 95% of military information used civilian networks, at least in part; see Antolin-Jenkins, Cdr. Vida M., Defining the parameters of cyberwar operations: Looking for law in all the wrong places? Naval Law Review, 2005, 51.

[33] See chapter 4 for a technical description of the software.

[34] Ellen Nakashima and Joby Warrick, Stuxnet was work of U.S. and Israeli experts, officials say.

[35] P. W. Singer, Stuxnet and Its Hidden Lessons on the Ethics of Cyberweapons, in Case Western Reserve Journal of International Law, 47 (2015).

[36] P. W. Singer, Stuxnet and Its Hidden Lessons on the Ethics of Cyberweapons, in Case Western Reserve Journal of International Law, 47 (2015).

[37] See University of Alabama at Birmingham for an interesting presentation about Estonia DDoS-attacks with a small historical introduction.

[38] See The 2007 Estonian Cyberattacks: New Frontiers in International Conflict.